CVE-2021-22060

7 documents6 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 62.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework Oracle Communications Cloud Native Core Console Oracle Communications Cloud Native Core Service Communication Proxy

Timeline

PublishedJan 10

Latest updateJan 12

Description

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶Mavenorg.springframework:spring-core5.3.0 — 5.3.14+1

▶NVDvmware/spring_framework5.2.0 — 5.2.18+1

▶CVEListV5spring_frameworkSpring Framework 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions

▶NVDoracle/communications_cloud_native_core_console1.9.0

▶NVDoracle/communications_cloud_native_core_service_communication_proxy1.15.0

🔴Vulnerability Details

GHSA

Log entry injection in Spring Framework↗2022-01-12

▶

OSV

Log entry injection in Spring Framework↗2022-01-12

▶

OSV

CVE-2021-22060: In Spring Framework versions 5↗2022-01-10

▶

CVEList

CVE-2021-22060: In Spring Framework versions 5↗2022-01-07

▶

📋Vendor Advisories

Red Hat

springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)↗2022-01-10

▶

Debian

CVE-2021-22060: libspring-java - In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupport...↗2021

▶